If you want to proceed with creating your own certificate authority server, you\u2019ll have to choose between the two primary ways of doing so \u2013 you can build your own completely from scratch or you can go with a managed PKI solution from a third-party vendor. So, what are their pros and cons of each? How will they impact your business? And what are the most common platforms to choose from?<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n So, how do you know if creating your own private CA is the way to go? If your site is public facing \u2013 let\u2019s say it\u2019s an ecommerce site, for example \u2013 then you\u2019ll most likely want to use a public CA for your certificate. These certificates are signed by an established root certificate whose keys are included with all the major web browsers and operating systems. That way, your site\u2019s certificate will be automatically trusted out-of-the-box by your visitor\u2019s machines, and they won\u2019t be met with any warnings like the one below:<\/p>\n\n\n On the other hand, if you\u2019re an organization that has its own internal systems and devices that are private to the rest of the outside world, then creating your own private CA can offer many advantages. You won\u2019t have to purchase certificates for every single device and site \u2013 which can get quite pricey very quickly.<\/p>\n\n\n\n A private CA is also ideal for authentication on virtual private networks (VPN), internal wi-fi networks, and other services that use multi-factor authentication. Private certificates work great in those situations – you\u2019ll issue and install them yourself and won\u2019t have to worry about trust warnings because external users won\u2019t be attempting to use the certificates. Only internal users that have already installed your trusted root certificate on their machine should be using them.<\/p>\n\n\n\n With your own private CA, you\u2019ll have full control over things like:<\/p>\n\n\n\n Creating your own certificate authority server also has security benefits for certain situations. Private certificates can be issued with a common name that is not an email address or public hostname\/IP. So, for example, if you want to install a device certificate on an IoT device using public SSL, your only option would be to assign an email address to that device. That\u2019s not very practical and adds an unnecessary degree of complexity to manage.<\/p>\n\n\n\n A private CA also gives you full control over issuance and revocation. You know that nobody can get a certificate from your CA unless you let them. If you secured your IoT network using public SSL instead, then people outside your organization could get certificates issued by the same CA and might be able to use them to join your network (depending on how you set it up). With private certificates, you\u2019re the only one that can grant access (and you can revoke it at any time, as well).<\/p>\n\n\n\n Setting up your own private CA from scratch gives you the highest level of customization and control, but there are also trade-offs you\u2019ll have to consider. Theoretically, setting up your own private CA isn\u2019t all that hard to do. However, doing it properly and comprehensively \u2013 dotting all the I\u2019s and crossing all the t\u2019s \u2013 takes a significant amount of time and expertise. It\u2019s a resource-intensive project and the question of whether or not it\u2019s the better choice than going with a managed third-party solution must be analyzed on an organization-specific basis.<\/p>\n\n\n\n The vast majority of companies aren\u2019t inherently set up to build an effective, enterprise-wide PKI solution. Significant additional investment is usually needed in terms of staff and technical resources because organizations have other higher priority goals that they are focused on – developing new products, improving manufacturing capabilities, supporting their sales force, etc. When deciding which way to go, you\u2019ll want to have a solid understanding of the pros and cons of each option so you can make an informed, intelligent decision that\u2019s best for your organization.<\/p>\n\n\n<\/span><\/span>\n\n\n When considering the costs of building your own certificate authority server from scratch, personnel is often overlooked. First off, you\u2019ll most likely need additional staff with PKI experience to build and manage the private CA. Not only that, but your existing engineering\/IT team\u2019s time is also required. They have other responsibilities pertaining to security and infrastructure, maintaining email servers, wireless systems, audits, penetration testing, and so on. Chances are they don\u2019t have free time to create a private CA, and instead it will pull them off other high-priority work.<\/p>\n\n\n\n Scalability is another challenge that faces those building their own private CA. Organizations tend to craft their CA based on present-day needs, then eventually find that what they came up with won\u2019t be enough for their future needs. For instance, a company sets up their internal CA to issue certificates to devices so that they can be authenticated into their wi-fi network. Then, six months later they realize they need certificates for all their internal servers and want them automatically issued via an API. Suddenly, the scope of the project has expanded into creating an API, requiring even more resources than originally thought. Without in-house PKI expertise, it\u2019s difficult to accurately predict what the finished product ultimately needs to be.<\/p>\n\n\n\n The challenge of scalability is an area where managed solutions usually have the edge. Predicting the future is never easy, but it\u2019s even more difficult if PKI isn\u2019t your organization\u2019s expertise (and for most companies, it isn\u2019t). It\u2019s one of the reasons that a managed PKI solution can be the way to go, since commercial CAs have much better perspectives \u2013 their past experience helps them better prepare and scale for the next few years and beyond.<\/p>\n\n\n\n When it comes to figuring out the dollar cost of your internal CA, that number will depend greatly on the scope and your needs. We\u2019d recommend breaking down the cost considerations by category and then analyzing each. Regardless of the specifics of your organization, you\u2019ll need to budget for the following if you\u2019re creating your CA from scratch:<\/p>\n\n\n\n The biggest reason that companies tend to shy away from hosted solutions and decide to build their own CA is due to misconceptions regarding the costs of the hosted CA solution. For most organizations, their prior experience with commercial CA\u2019s was related to buying SSL certificates for their websites. Therefore, the assumption is made that privately issued certificates will have a similar cost on a per-certificate basis as their publicly trusted SSL certificates. However, issuing a private certificate through a managed CA is almost always a fraction of the cost of the publicly trusted one issued by a commercial CA.<\/p>\n\n\n\n Overall, the managed CA solution has a lower total cost of ownership and drastically less up-front capital investment requirements. And if you\u2019re going the DIY route, there\u2019s more risk involved because anything that\u2019s missing will be on you and you alone to take care of. Remember to think long term and have a thorough understanding of all the potential costs before taking the plunge.<\/p>\n\n\n\n Capability is another area where there are misconceptions about managed CA\u2019s. Organizations think that they will have limited options and won\u2019t be able to do the same things with a hosted CA that they can with a homegrown private CA. Take automated certificate issuance, for example. Most hosted CA platforms have APIs and other tools that allow for automated certificate management, meaning your company won\u2019t need to develop them.<\/p>\n\n\n\n Basically, it comes down to how many development resources you have available. If you already have the talent and infrastructure available to say, build your own API, then going that route will give you the most robust and customizable tools possible.<\/p>\n\n\n\n If you don\u2019t? With a managed CA, you\u2019re getting a hosted solution that\u2019s pre-configured to give you everything you need out of the box. The downside is that there\u2019s less flexibility and customization versus doing it from scratch. That being said, the options available should be sufficient for the vast majority of customers. <\/p>\n\n\n\n Hosted solutions also allow your engineering and IT teams to remain focused on your company\u2019s highest priority projects. They aren\u2019t designing the private CA \u2013 that work has already been done by the vendor \u2013 and the resources required for administering the hosted CA are a fraction of what it takes to build it from scratch.<\/p>\n\n\n\n Finally, there is a belief that hosted CA solutions limits flexibility and confines users to specific certificate profiles. However, you won\u2019t necessarily be limited to certificate profiles that are approved by the CA\/B Forum<\/a>. Many vendors are willing to create custom certificate profiles to meet your needs. DigiCert, for instance, can provide non-SSL certificate profiles that don\u2019t even necessarily have to be X.509 type<\/a>. If you have specialized requirements, it\u2019s definitely worth reaching out to vendors to see what they have to offer \u2013 odds are you won\u2019t be disappointed.<\/p>\n\n\n\n Managed CAs can also offer improved device support depending on the situation. As we\u2019ll talk about shortly, Microsoft CA is the most popular platform for creating your own CA. While it offers some automation via Active Directory, you\u2019re out of luck for any non-Windows servers or devices you may be using. Managed CAs usually include a PKI manager that that will work with all your devices. Therefore, a managed CA can potentially be the best option not only for new CA deployments, but for supplementing an existing Microsoft CA instance, as well.<\/p>\n\n\n\n If you\u2019ve decided that creating your own certificate authority server from scratch is the best option for your organization, then your next step will be to decide on the platform you want to use. Two of the most widely used tools are Microsoft CA<\/strong> and OpenSSL<\/strong>.<\/p>\n\n\n\n The most common platform for private CAs is Microsoft CA<\/strong>. It is part of the Windows Server OS. Note that it isn\u2019t enabled by default but must be installed by selecting Certificate Services<\/em> in the \u201cadditional Windows components\u201d section of Add\/Remove Programs. Microsoft CA integrates with Active Directory, so if you already have that set up in your organization, then that will make things easier when configuring Microsoft CA. Once you\u2019re finished, you\u2019ll then be able to issue certificates to your domain-connected devices via group policies. You can read about how to get started with Microsoft CA with this tutorial<\/a>.<\/p>\n\n\n The downside of Microsoft CA is that deploying it is not a trivial task. While the basic setup steps are pretty straightforward, doing it right will take a significant amount of time. You\u2019ll want to have a dedicated team that\u2019s experienced in PKI to handle the implementation and then manage it afterwards. So, while technically Microsoft CA is free (as we mentioned, it\u2019s included in Microsoft Server), don\u2019t forget to consider the costs of the additional personnel and hardware.<\/p>\n\n\n\n OpenSSL<\/strong> has the benefit of being free and open source. It\u2019s a cryptographic library that incudes command-line tools for generating and managing digital certificates, which you can configure to serve as a certificate authority. You can generate private keys, create CSRs, install certificates, and view certificate information. This tutorial can help<\/a> you learn the basics of OpenSSL and get started with generating and installing your own private certificates.<\/p>\n\n\n\n Now let\u2019s take a look at some of the most popular managed solutions for creating your own certificate server. Sectigo and DigiCert both have their own platforms for creating and managing your private CA.<\/p>\n\n\n\n DigiCert\u2019s option is called the DigiCert\u00ae Trust Lifecycle Manager<\/a>, and is designed for scalability and streamlined management. There\u2019s a number of deployment options, including:<\/p>\n\n\n\n It allows for Active Directory integration and autoenrollment and is capable of quickly issuing large numbers of certificates across your enterprise. It also includes pre-configured certificate profiles for things like VPNs, wi-fi networks, REST API, Adobe, and Microsoft. You\u2019re also able to manage all your certificate types from a single dashboard, including issuance, installation, and revocation.<\/p>\n\n\n Secito Private PKI<\/a> is similar to DigiCert\u00ae\u2019s Trust Lifecycle Manager in that it\u2019s a managed platform that gives you the power to issue private certificates of all types without having to deploy and manage your own separate server. Like other managed CA solutions, Sectigo Private PKI requires significantly less resources than building your own CA from scratch. It enables users to issue, install, renew, and revoke certificates via a proven and scalable infrastructure.<\/p>\n\n\n Sectigo Private PKI also works with any existing internal CAs you already have setup and running. For example, if you already have a Microsoft CA deployment, then Sectigo Private PKI can integrate and augment it. The two main benefits are that it lets you issue certificates to non-Microsoft devices and applications, and it provides a powerful management platform that is more robust and easier-to-use than the out-of-the-box Microsoft CA.<\/p>\n\n\n\n In addition to that, you\u2019re getting:<\/p>\n\n\n\n All these tasks are critical to a successful private CA and would otherwise cost upwards of hundreds of thousands of dollars total to do on your own, not to mention the time and staff requirements that would also be needed.<\/p>\n\n\n<\/span><\/span>\n\n\n As we\u2019ve seen, there are benefits to both routes. If your organization has a clear idea of what it needs and has the budget and resources to accomplish it, then creating your own certificate authority server from scratch gives you the highest degree of customization and control. For most companies, however, PKI isn\u2019t a primary focus nor a core competency. Because of the degree of expertise, time, and money required, hosted CA solutions are usually the best bet. And thanks to the evolved state of most of the private PKI platforms available, you won\u2019t be making significant sacrifices in terms of features and capabilities once you get your managed private CA up and running.<\/p>\n\n\n\n We Take a Look at the Various Options You Have for Creating Your Own Certificate Authority Server and the Pros and Cons of Each When it comes to securing your…<\/p>\n","protected":false},"author":37,"featured_media":14547,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[10200,25],"tags":[],"class_list":["post-14545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monthly-digest","category-ssl-certificates","post-without-tags"],"views":37539,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/bigstock-Diy-Do-It-Yourself-Text-Words-412497022.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14545","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/37"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14545"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14545\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14547"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=14545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Why Run Your Own Certificate Authority Server?<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/Picture5.jpg\")
\n
Building Your Own Internal CA vs Managed Private CA<\/h2>\n\n\n\n
Personnel<\/h3>\n\n\n\n
Scalability<\/h3>\n\n\n\n
Cost<\/h3>\n\n\n\n
\n
Capabilities<\/h3>\n\n\n\n
Flexibility<\/h3>\n\n\n\n
Popular Platforms for Creating Your Own Certificate Authority Server<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/Picture1-1.png\")
Managed Solutions for Creating Your Own Certificate Server<\/h2>\n\n\n\n
DigiCert\u00ae Trust Lifecycle Manager<\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/Picture4.png\")
Sectigo Private PKI<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/Picture3.png\")
\n
Hosted or Internal?<\/h2>\n\n\n\n
Looking for More CA-Related Content?<\/h2>\n\n\n\n
\n